CEO Vladimir Katalov of the security software company Elcomsoft has published a post on CrackPassword outlining where he believes Apple’s two-step authentication comes up short. While he admits that the authentication works as advertised and it’s a good idea for people to enable it, he has also identified some areas that he thinks could use some improvement.

Back in March, Apple joined the list of tech companies rolling out two-step authentication in an effort to increase user security. Two-step authentication works by requiring users to provide an additional piece of information beyond their username and password when logging into their account on an untrusted device. In Apple’s case, the additional piece of information is a security code that will be sent to a trusted device whenever a new device tries to access an account. This helps to try and limit the amount of damage that a malicious person could do to your account if they were to acquire your Apple ID and password.

According to Apple, two-step authentication will require you to enter the additional security code when doing the following:

Sign in to My Apple ID to manage your account.

Make an iTunes, App Store, or iBookstore purchase from a new device.

Get Apple ID-related support from Apple.

Katalov’s asserts that the missing item from the list is iCloud. iCloud data is not protected by two-step authentication and as such, if your account is compromised, an attacker could restore an iCloud backup to one of their own devices. Normally if this were to happen, you would get an email alerting you that a new device has signed into your iCloud account. However, in Elcomsoft’s testing they were able to download an iCloud backup using their own Phone Password Breaker tool and the notification email did not get triggered. This means that an attacker with your account credentials could download a backup of your device with all of your data and you wouldn’t even know.

One big question is why would Apple exclude iCloud data from the protections of two-step authentication? The reason for this decision by Apple is likely one of user convenience. Currently if something were to happen to your iPhone, you could get a new one at the Apple Store and immediately start restoring the device from the iCloud backup (assuming you have iCloud backups enabled). If two-step authentication was required for this, the user would need to have another trusted device available to receive the security code on in order to authorize the new device. It’s possible that Apple consciously made this security tradeoff for the sake of convenience and user experience.

If you have two-step authentication enabled, leave it on. You’re not putting yourself at any additional risk over users who leave it turned off, and in fact, are still safer than if you were to turn it off. Rolling out two-step authentication was a step in the right direction for Apple, but what remains to be seen is if they have plans for rolling out a more secure, robust authentication system down the line.

I tried to avoid using it. There was a big discussion going on at the time that claimed the JSON requests that it used were secure, but ultimately I came to the conclusion that regardless, by not encrypting the traffic, it was far too vulnerable for me.